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A Note On Boneh-Gentry-Waters Broadcast 
Encryption Scheme and Its Like 

Zhengjun Cao^, Lihua Liu^’* 


Abstract. Key establishment is any process whereby a shared secret key becomes 
available to two or more parties, for subsequent cryptographic use such as symmetric- 
key encryption. Though it is widely known that the primitive of encryption is different 
from key establishment, we hnd some researchers have confused the two primitives. In 
this note, we shall clarify the fundamental difference between the two primitives, and 
point out that the Boneh-Gentry-Waters broadcast encryption scheme and its like are 
key establishment schemes, not encryption schemes. 
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1 Introduction 


Keeping information secret from all but those who are authorized to see it, is a main objective of 
cryptography. The primitive of encryption can provide the functionality. Over the centuries, a lot 
of mechanisms have been created to deal with the information security issue. 

In 1976, Diffie and Heilman introduced the concept of public-key cryptography and also 
provided a new method for key establishment. But they had not put forth any public-key encryption 
scheme at the time. In 1978, Rivest, Shamir, and Adleman [l^ discovered the first practical 
public-key encryption and signature scheme which is based on the hard mathematical problem of 
factorization. To date, the computational performance of public-key encryption is inferior to that 
of symmetric-key encryption because of much larger working parameters needed. So, public-key 
encryption schemes are generally used to establish a key for a symmetric-key system being used by 
communicating entities 1^. That is to say, key establishment is really intertwined with encryption. 
Then, what is the fundamental difference between key establishment and encryption? 

We hnd all literatures have not specihed the difference. We also find some researchers have 
confused key establishment and encryption. In this note, we shall clarify the difference between 
the two primitive^ and point out that the Boneh-Gentry-Waters broadcast encryption scheme 


and its like [l|. 


lll-ll3l| are key establishment schemes, not encryption schemes. 

^Department of Mathematics, Shanghai 


^Department of Mathematics, Shanghai University, Shanghai, China. 
Maritime University, Shanghai, China. * liulh@shmtu.edu.cn 


1 







2 Key establishment 

Definition 1 [l^ Key establishment is any process whereby a shared secret key becomes available 
to two or more parties, for subsequent cryptographic use. 

Key establishment can be broadly subdivided into key agreement and key transport. A key 
transport protocol is a key establishment technique where one party creates or otherwise obtains 
a secret value, and securely transfers it to the other(s). A key agreement protocol is a key estab¬ 
lishment technique in which a shared secret is derived by two (or more) parties as a function of 
information contributed by, or associated with, each of these, such that no party can predetermine 
the resulting value. Key establishment protocols result in shared secrets which are typically used 
to derive, session keys. For example, the Diffie-Hellman key agreement scheme is such a protocol. 


Table 1: Diffie-Hellman key agreement (basic version) 


Setup 

A prime p and generator g of Z* are selected and published. 

Protocol actions 

(a) A picks a random x,l<x<p — 2, and sends g^ mod p to B. 

(b) B picks a random y,l < x < p — 2, and sends g"^ mod p to A. 

(c) B computes the shared key as K = mod p. 

(d) A computes the shared key as K = mod p. 

Result 

The shared secret K is known to both parties A and B. 


3 Encryption 

Definition 2 Q Let A be a finite set called the alphabet of definition, M be a set called the 
message space, C be a set called the ciphertext space, 1C be a set called the key space. Each element 
e € fC uniquely determines a bijection from A4 to C, denoted by E^. Eg is called an encryption 
function or an encryption transformation. For each d ^ 1C, denotes a bijection from C to A4. 
Dd is called a decryption function or decryption transformation. An encryption scheme consists 
of a set {Ef, ; e € K} of encryption transformations and a corresponding set {Dd : d ^ K} of 
decryption transformations with the property that for each e € 1C there is a unique key d ^ 1C such 
that Dd{Ee{m)) = m for all m & M.. 

The above dehnition is somewhat tedious. We refer to RSA system for a concrete example of 
encryption scheme, which is a well-known public-key encryption and signature scheme. Note that 
at the end of the scheme, both the sender and the intended receiver know the message. 
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Table 2; RSA encryption 


Setup 

Pick two distinct odd primes p and q, 
compute n = pq, 4>{n) = {p — l){q — 1). 

Pick e € Z*, compute d = e~^ mod (j){n) 

Publish n,e and keep d,p,q in secret. 

Encrypting 

For a message m £ Zn, compute c = mod re. 

Decrypting 

Use the secret key d to recover m = mod re. 


4 A difference between key establishment and encryption 

As we see, both Diffie-Hellman key agreement and RSA encryption can ensure the two participa¬ 
tors to know a same thing, whether we call it a shared key or a message. Then, what are the 
differences between key establishment and encryption? It is a pity that we find all literatures have 
not specified the differences. We think the fundamental difference between two primitives is that 

whether the resulting thing is pre-existing. 

Concretely, in an encryption scheme, both two participators use the message as a whole. They do 
not use any components of the message for the related transformations. But in a key establish¬ 
ment scheme, at least one participator has to use some components of the shared key for related 
computations and the final composition. To illustrate this point, we refer to the following Table 3 
for the difference between RSA encryption and Diffie-Hellman key agreement. 


Table 3: The difference between RSA encryption and Diffie-Hellman key agreement 



RSA encryption 

Diffie-Hellman key agreement 

Computation 

c = md mod re, 

m = mod re. 

mod p, mod p, 

K = {g'^Y mod p = {g^Y mod p. 

Result 

Both the two parties know rre. 

Both the two parties know K. 

Characteristic 

m is pre-existing. 

K is not pre-existing. 


5 The Boneh-Gentry-Waters “broadcast encryption” scheme and 
its like are not true encryption schemes 

5.1 The Boneh-Gentry-Waters “broadcast encryption” scheme 


The primitive of broadcast encryption was formalized by Fiat and Naor which requires that the 
broadcaster encrypts a message such that a particular set of users can decrypt the mes sage se nt over 
a broadcast channel. The Fiat-Naor broadcast encryption and the following works [bl. M. Iki. llTI. Il8l| 
use a combinatorial approach. This approach has to right the balance between the efficiency and 
the number of colluders that the system is resistant to. Recently, Boneh et al have constructed 
some “broadcast encrypt” systems. In these systems, the public parameters must be updated to 
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allow more users. But we find the Boneh-Gentry-Waters “broadcast encryption” scheme and its 
like [l|, 3, 0, 0, 11-13] are not true encryption schemes. They are key establishment schemes. For 


convenience, we now relate the Boneh-Gentry-Waters scheme as follows. 

Setup{n): Suppose there are n users in the system. Let G be a bilinear group of prime order p. 
Pick a random generator g € G and random numbers 0,7 € Zp. Compute v = g'^ and gi = 5 ^“*^ 
for i = 1, 2, • • • , n, n -|- 2, • • • , 2n. The public key is set as: 


— {.9i 9li ' ' ' j 9nj 9n+2 ) ■ ■ ■ ) 92n iV). 

The private key for user i € {1, • • • , n} is set as: di = gj. 

Encrypt{S, PK): Let S be the set of the intending receivers. Pick a random t ^ Zp and set 
P = e{ 9 n+i, 9 Y■ The value e{gn+i,g) can be computed as e{gn,gi)- Next, set 

Hdr = ig\{v- Y{gn+i-jf 

\ jes 

and output the pair (Hdr, K). 

Decrypt{S,i,di,}ldic, PK): Parse Hdr as {Co,Ci) and compute 

P Gi)/e(cij • 9n+i—j+ij Co)' 

jes 


5.2 Analysis 

It is easy to see that in the Boneh-Gentry-Waters scheme the shared thing K is not pre-existing. 
It depends on the choice of the encrypter. Moreover, the encrypter has to use its secret component 
t for other computations. Of course, the scheme can be transformed into a regular encryption 
scheme. It only needs to set c = M ■ e{gn+i,gY for a given message M € G in the Encryption 
phase. To recover M, the user with di can compute 

M = c-e{di ■ Y\9n+i-j+i,Co)/e{gi,Ci). 

JSS 

But we should remark that pairings including Weil pairing and Tate pairing are derived from elliptic 
curves [l0] . Both K, M are in the extension field where is the base field of the elliptic curve 
defined over, k is called the embedding degree which is the smallest positive integer such that p 
divides — 1). That means the scheme has to work in some extension of the base field, even 
though the inputting parameters are defined over the base field. That is to say, the scheme has to 
work in a running environment with parameters of 1024 bits, not 160 bits as supposed (someone 
has confused the inputting-parameter’s size with the working-parameter’s size), so as to offer 80 
bits security level. The shortcoming makes the scheme lose its competitive advantages significantly. 
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6 Conclusion 


We clarify the fundamental difference between encryption and key establishment. To the best of our 
knowledge, it is the hrst time to put forth such an explicit principle to discriminate the two prim¬ 
itives. We also remark some schemes are not true encryption schemes, instead key establishment 
schemes. 
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